wbinfo: Add --change-secret-at=dcname
authorRalph Boehme <slow@samba.org>
Tue, 22 Nov 2022 13:40:07 +0000 (14:40 +0100)
committerJeremy Allison <jra@samba.org>
Wed, 21 Dec 2022 19:10:35 +0000 (19:10 +0000)
Add WHATSNEW.txt entry and update wbinfo man page.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
WHATSNEW.txt
docs-xml/manpages/wbinfo.1.xml
nsswitch/wbinfo.c

index 94ced206dbbf6e8d2fe12c289a0b00b532448be6..4a40b7147dd7ec01f7af5dcf0a7c51af33657ca5 100644 (file)
@@ -74,7 +74,13 @@ disable colour output. See https://no-color.org/ for a description of
 this variable. `samba-tool --color=always` will use colour regardless
 of NO_COLOR.
 
+New wbinfo option --change-secret-at
+------------------------------------
 
+The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
+which forces the trust account password to be changed at a specified domain
+controller. If the specified domain controller cannot be contacted the
+password change fails rather than trying other DCs.
 
 
 REMOVED FEATURES
index ddd1e27e02ba499b06be9956665a508463e288c5..0426a0454c64a64f94c679561c89d5117e28cbd6 100644 (file)
                </para></listitem>
                </varlistentry>
 
+               <varlistentry>
+               <term>--change-secret-at <replaceable>domain-controller</replaceable></term>
+               <listitem><para>Change the trust account password at a specific
+               domain controller. Fails if the specificied domain controller
+               cannot be contacted.
+               </para></listitem>
+               </varlistentry>
+
                <varlistentry>
                <term>--ccache-save <replaceable>username%password</replaceable></term>
                <listitem><para>Store user and password for ccache.
index 55b9e268c395807e34378d4a9163c615e81479cd..de54373afe8ba09b7842fbceaed07566b9f994ab 100644 (file)
@@ -849,6 +849,43 @@ static bool wbinfo_change_secret(const char *domain)
        return true;
 }
 
+/* Change trust account password chose Domain Controller */
+
+static bool wbinfo_change_secret_at(const char *domain,
+                                   const char *domain_controller)
+{
+       wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
+       struct wbcAuthErrorInfo *error = NULL;
+       const char *domain_name;
+
+       if (domain) {
+               domain_name = domain;
+       } else {
+               domain_name = get_winbind_domain();
+       }
+
+       wbc_status = wbcChangeTrustCredentialsAt(
+               domain_name, domain_controller,  &error);
+
+       d_printf("changing the trust secret for domain %s via RPC calls %s\n",
+               domain_name,
+               WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
+
+       if (wbc_status == WBC_ERR_AUTH_ERROR) {
+               d_fprintf(stderr, "wbcChangeTrustCredentials(%s): "
+                         "error code was %s (0x%x)\n",
+                         domain_name, error->nt_string, error->nt_status);
+               wbcFreeMemory(error);
+       }
+       if (!WBC_ERROR_IS_OK(wbc_status)) {
+               d_fprintf(stderr, "failed to call wbcChangeTrustCredentials: "
+                         "%s\n", wbcErrorString(wbc_status));
+               return false;
+       }
+
+       return true;
+}
+
 /* Check DC connection */
 
 static bool wbinfo_ping_dc(const char *domain)
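Review bot: None of the three diagnostics in wbinfo_change_secret_at names the domain controller, and both stderr messages say `wbcChangeTrustCredentials` although the call made is `wbcChangeTrustCredentialsAt`, so a failed rotation pinned to one DC reads in logs exactly like a plain change-secret failure. I would add `domain_controller` to the status line, e.g. `d_printf("changing the trust secret for domain %s at %s via RPC calls %s\n", domain_name, domain_controller, ...)`, and correct the function name in both `d_fprintf` strings. The WBC_ERR_AUTH_ERROR branch also dereferences `error` without a check; whether the library always fills it on that status is not visible here, so `if (wbc_status == WBC_ERR_AUTH_ERROR && error != NULL)` would be the safer condition. The header comment would read better as `/* Change trust account password at a chosen Domain Controller */`.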
@@ -2291,7 +2328,8 @@ enum {
        OPT_LOGOFF_USER,
        OPT_LOGOFF_UID,
        OPT_LANMAN,
-       OPT_KRB5CCNAME
+       OPT_KRB5CCNAME,
+       OPT_CHANGE_SECRET_AT
 };
 
 int main(int argc, const char **argv, char **envp)
@@ -2507,6 +2545,13 @@ int main(int argc, const char **argv, char **envp)
                        .val        = 'c',
                        .descrip    = "Change shared secret",
                },
+               {
+                       .longName   = "change-secret-at",
+                       .shortName  = 0,
+                       .argInfo    = POPT_ARG_STRING,
+                       .arg        = &string_arg,
+                       .val        = OPT_CHANGE_SECRET_AT,
+                       .descrip    = "Change shared secret at Domain Controler" },
                {
                        .longName   = "ping-dc",
                        .shortName  = 'P',
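Review bot: The `.descrip` string of the new option misspells "Controller" (`"Change shared secret at Domain Controler"`), and that text is user-visible help output. The entry also closes with `},` on the `.descrip` line, whereas the preceding entry puts the closing brace on its own line. Because the option takes a string, an `.argDescrip` naming the expected value (for example `.argDescrip = "DC"`) would make the usage text self-explanatory; whether neighbouring string options set one is outside this hunk.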
@@ -3034,6 +3079,12 @@ int main(int argc, const char **argv, char **envp)
                                goto done;
                        }
                        break;
+               case OPT_CHANGE_SECRET_AT:
+                       if (!wbinfo_change_secret_at(opt_domain_name, string_arg)) {
+                               d_fprintf(stderr, "Could not change secret\n");
+                               goto done;
+                       }
+                       break;
                case 'P':
                        if (!wbinfo_ping_dc(opt_domain_name)) {
                                goto done;
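Review bot: `string_arg` is handed to wbinfo_change_secret_at without checking that it is non-empty, so `--change-secret-at=` with an empty value reaches the library call as-is. If an empty name is treated there as "any DC" (not visible on this page), the command would silently lose the pinning that the WHATSNEW entry promises. A guard such as `if (string_arg == NULL || string_arg[0] == '\0')` that prints a usage error and jumps to `done` before the call would rule that out. The `switch` and `main` continue outside the hunk.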